More than half of 250 anti-virus applications available in Google's Play Store offer insufficient protection against malicious software, a security software testing firm reports.

Austria-based AV Comparatives warns that some of the security apps were so poorly engineered that they detected themselves as malware. About 10 percent of the apps tested appeared to come from amateur developers more focused on advertising and monetization than security.

"Some of the Android security products in our test blocked so few of the malware samples - in some cases literally none - that they cannot reasonably be described as anti-malware apps," AV Comparatives says in a research report.

The offering of so many ineffective or deceptive apps could prove confusing to users. The number of times an app has been downloaded is not an accurate metric of quality, and user reviews can be faked, AV Comparatives cautions.

Most of the tested apps had a review score of four or higher on Google Play's five-star scale, making it difficult for users to derive any meaningful, impartial information about an app's efficacy, AV Comparatives reports.

"A successful scam app may be downloaded many times before it is found to be a scam," the company says. "A recent 'last updated' date also does not seem to be a good quality indicator, as many low-scoring apps had relatively recent updates."

Malware Tests

For its tests, AV Comparatives ran 2,000 of the most common Android malware samples from last year through the 250 anti-virus products, checking their detection and false-positive rates.

The tests were conducted using physical phones - the Samsung Galaxy S9 - which ran Android 8.0, known as Oreo. Some security apps couldn't run on Oreo; for those, AV Comparatives used Android 6.01 running on a Nexus 5 instead.

The tests were straightforward: Open the Google Chrome browser on a clean phone, download a malicious sample, open the .apk Android executable file in the file explorer app, then install and execute it.

More than half of the apps - 138 out of 250 - either detected 30 percent or less of the malicious samples or had high false-positive rates, meaning a non-malicious app gets flagged as being bad, AV Comparatives says.

Some apps failed a very basic test. AV Comparatives ran more than 100 legitimate apps through the scanners in an effort to gauge the false positive rate. "Several low-quality apps detected as malware a number of the 100 clean and popular apps from the Google Play Store," the company says.

Other security apps seemed to rely only on blacklists and whitelists for virus detection. AV Comparatives says it found more apps doing this in this year's tests than in the tests it conducted last year.

An example of an embedded whitelist in a security app (Source: AV Comparatives)

There can be risks in using whitelists. AV Comparatives gives an example of a JSON (JavaScript Object Notation) whitelist that includes an entry for ".com.Adobe."

"While this entry means that all genuine apps made by Adobe (such as the Acrobat Reader app) will be regarded as safe, this mechanism also allows any malicious app to bypass the security scan, simply by using 'com.adobe.*' as its package name," AV Comparatives writes.

One unexpected twist: AV Comparatives found some anti-virus apps failed to add themselves to their own whitelist, which caused the app to flag itself as being malware.
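The two whitelist failures described above can be modelled in a few lines. This is an added example, not code from AV Comparatives or from any tested app: it compares a name-only whitelist with one that also pins the signing certificate digest. The scanner package `com.example.scanner`, the package `com.adobe.update` and all certificate bytes are constructed placeholders.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:
    package: str        # package name declared by the APK; any developer can pick it
    signer_cert: bytes  # signing certificate bytes (constructed placeholders here)

def cert_digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

# Constructed sample certificates, not real vendor material.
VENDOR_CERT = b"constructed-vendor-signing-cert"
OTHER_CERT = b"constructed-unrelated-signing-cert"
SCANNER_CERT = b"constructed-scanner-signing-cert"

# Weak form: trust is decided by the package-name pattern alone, and the
# scanner's own package was never added to the list.
NAME_ONLY_WHITELIST = ["com.adobe.*"]

# Hardened form: a pattern only counts when the app is signed with a pinned
# certificate, and the scanner lists itself.
PINNED_WHITELIST = {
    "com.adobe.*": {cert_digest(VENDOR_CERT)},
    "com.example.scanner": {cert_digest(SCANNER_CERT)},
}

def is_trusted_by_name(app: InstalledApp) -> bool:
    return any(fnmatch.fnmatchcase(app.package, p) for p in NAME_ONLY_WHITELIST)

def is_trusted_pinned(app: InstalledApp) -> bool:
    digest = cert_digest(app.signer_cert)
    return any(fnmatch.fnmatchcase(app.package, pattern) and digest in pinned
               for pattern, pinned in PINNED_WHITELIST.items())

def scan(apps, trusted):
    """Whitelist-only scanner: every app that is not trusted is flagged."""
    return [app.package for app in apps if not trusted(app)]

APPS = [
    InstalledApp("com.adobe.reader", VENDOR_CERT),      # genuine vendor app
    InstalledApp("com.adobe.update", OTHER_CERT),       # borrowed name, other signer
    InstalledApp("com.example.scanner", SCANNER_CERT),  # the scanner itself
]

if __name__ == "__main__":
    print("name-only flags:", scan(APPS, is_trusted_by_name))
    print("pinned flags:   ", scan(APPS, is_trusted_pinned))
```

With the name-only list, the app that borrowed the vendor prefix passes and the scanner flags itself; with certificate pinning, only the app signed by the unrelated key is flagged.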

Google Excises Apps

AV Comparatives says a handful of apps it tested have now been flagged by other security software as Trojans or "potentially unwanted applications," a category reserved for apps that may have some legitimate functionality but also sport other, questionable features, such as bombarding users with ads.

Google has removed security apps from 32 vendors from the Play Store in the last few months. AV Comparatives says it expects the company to remove more.

In many ways, the Android anti-virus scene is similar to the desktop scene a decade ago. In those days, researchers often found malware purporting to be anti-virus applications.

The desktop scams became more sophisticated later. Instead of masking malware as an anti-virus product, the questionable products did actually have anti-malware functions but at a much less effective level than the best AV products.

The promoters of low-quality anti-virus products used a variety of search engine optimization and other tricks to boost download rates. Some of the products were also wrapped in with questionable tech support schemes, which have come under repeated examination by the U.S. Federal Trade Commission.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
